Drive_Docs Changes to 1.6 and 6.1 #311

Merged
merged 13 commits into from
Jul 30, 2024
26 changes: 13 additions & 13 deletions Testing/RegoTests/drive/drive01_test.rego
Expand Up @@ -1508,7 +1508,7 @@ test_SharingChecker_Correct_V1 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
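Review bot: the removed fixture value "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES" (two enum values joined by a space) is not something a single Admin log event would carry, so this hunk is fixing a fixture that could never have matched a real event, and the same malformed pair appears in the Correct_V2, Correct_V3 and Incorrect_V4 fixtures further down, with a truncated "DOMAIN_OR_NAMED_PARTIE" in Incorrect_V5. Since the visible hunks only cover the lines that changed, it is worth grepping drive01_test.rego for any remaining occurrence of these joined or truncated values so that no fixture keeps asserting on an impossible NEW_VALUE.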
Expand Down Expand Up @@ -1536,7 +1536,7 @@ test_SharingChecker_Correct_V2 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
Expand Down Expand Up @@ -1574,7 +1574,7 @@ test_SharingChecker_Correct_V3 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
Expand All @@ -1584,7 +1584,7 @@ test_SharingChecker_Correct_V3 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Secondary OU"},
]
}]
Expand Down Expand Up @@ -1644,7 +1644,7 @@ test_SharingChecker_Incorrect_V2 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "NEW_VALUE", "value": "ALL"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
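Review bot: a negative test like test_SharingChecker_Incorrect_V2 passes for any NEW_VALUE that is not the compliant one, so replacing "ALLOWED" with "ALL" cannot be validated by the test itself; a typo in "ALL" would still yield "non-compliant". Please confirm "ALL" against an actual `SHARING_ACCESS_CHECKER_OPTIONS` event from the Admin log (or the value documented for the rule in drive01.rego) so that the fixture reflects the real open-access setting rather than a placeholder, as the previous "ALLOWED"/"NOT_ALLOWED" strings evidently were.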
Expand All @@ -1662,7 +1662,7 @@ test_SharingChecker_Incorrect_V2 if {
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: ",
"Access Checker allows users to share ",
"files to the public (no Google account required)</li></ul>"])
"files to Recipients only, suggested target audience, or public (no Google account required)</li></ul>"])
}

test_SharingChecker_Incorrect_V3 if {
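Review bot: the new ReportDetails string "Access Checker allows users to share files to Recipients only, suggested target audience, or public (no Google account required)" lists "Recipients only" as if it were part of the non-compliance, even though Recipients only is the compliant state under the revised 1.6 policy; an administrator reading the report could conclude the compliant option is being flagged. The text is evidently the Admin console's option label, so quoting it as a setting name reads more clearly, e.g. `"Access Checker is set to \"Recipients only, suggested target audience, or public (no Google account required)\""`. The same applies to the identical string in Incorrect_V3 and to the "Recipients only, or suggested target audience" string in Incorrect_V4.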
Expand All @@ -1675,7 +1675,7 @@ test_SharingChecker_Incorrect_V3 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "NEW_VALUE", "value": "ALL"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
Expand All @@ -1685,7 +1685,7 @@ test_SharingChecker_Incorrect_V3 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NOT_ALLOWED"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
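Review bot: after this change the Test Top-Level OU has two events for SHARING_ACCESS_CHECKER_OPTIONS, one with "ALL" and one with "NAMED_PARTIES_ONLY", and the expected result below is still "non-compliant", so the outcome now depends on which event the rule treats as most recent. The hunk does not show the events' timestamps; please confirm the "ALL" event carries the later time, otherwise the test would be asserting non-compliance for an OU whose latest setting is the compliant one. Before this change both values were non-compliant, so ordering did not matter.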
Expand All @@ -1703,7 +1703,7 @@ test_SharingChecker_Incorrect_V3 if {
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: ",
"Access Checker allows users to share ",
"files to the public (no Google account required)</li></ul>"])
"files to Recipients only, suggested target audience, or public (no Google account required)</li></ul>"])
}

test_SharingChecker_Incorrect_V4 if {
Expand All @@ -1716,7 +1716,7 @@ test_SharingChecker_Incorrect_V4 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIES"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Test Top-Level OU"},
]
}]
Expand All @@ -1726,7 +1726,7 @@ test_SharingChecker_Incorrect_V4 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "ALLOWED"},
{"name": "NEW_VALUE", "value": "DOMAIN_OR_NAMED_PARTIES"},
{"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"},
]
}]
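Review bot: this is the only test in the diff that asserts the formerly compliant value DOMAIN_OR_NAMED_PARTIES is now a finding, and it does so for a child OU that also inherits NAMED_PARTIES_ONLY from Test Top-Level OU. Consider adding a test where DOMAIN_OR_NAMED_PARTIES is set on the top-level OU alone, so the regression (recipients only is now the sole compliant value) is covered directly rather than only through OU inheritance.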
Expand All @@ -1744,7 +1744,7 @@ test_SharingChecker_Incorrect_V4 if {
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Secondary OU: ",
"Access Checker allows users to share ",
"files to the public (no Google account required)</li></ul>"])
"files to Recipients only, or suggested target audience</li></ul>"])
}

test_SharingChecker_Incorrect_V5 if {
Expand All @@ -1757,7 +1757,7 @@ test_SharingChecker_Incorrect_V5 if {
"events": [{
"parameters": [
{"name": "SETTING_NAME", "value": "SHARING_ACCESS_CHECKER_OPTIONS"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY DOMAIN_OR_NAMED_PARTIE"},
{"name": "NEW_VALUE", "value": "NAMED_PARTIES_ONLY"},
{"name": "ORG_UNIT_NAME", "value": "Test Secondary OU"},
]
}]
6 changes: 3 additions & 3 deletions Testing/RegoTests/drive/drive06_test.rego
Expand Up @@ -252,7 +252,7 @@ test_DriveFs_Setting_InCorrect_V1 if {
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: Drive for Desktop is enabled, but can be used on any device.</li></ul>"])
"<ul><li>Test Top-Level OU: Drive for Desktop is enabled and can be used on any device.</li></ul>"])
}

test_DriveFs_Setting_InCorrect_V2 if {
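Review bot: the reworded message "Drive for Desktop is enabled and can be used on any device" matches the new 6.1 policy text, but the diff only changes the message in the three InCorrect tests. With the policy no longer offering "disable Drive for Desktop" as an alternative, it is not clear from the visible hunks how the rule treats a tenant that has Drive for Desktop disabled entirely (drive_fs_enabled false), and the CSV in this PR drops the separate 6.1(a) drift rule for that case; please confirm a test still covers the disabled case and that its expected result agrees with the reworded policy.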
Expand Down Expand Up @@ -311,7 +311,7 @@ test_DriveFs_Setting_InCorrect_V2 if {
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: Drive for Desktop is enabled, but can be used on any device.</li></ul>"])
"<ul><li>Test Top-Level OU: Drive for Desktop is enabled and can be used on any device.</li></ul>"])
}

test_DriveFs_Setting_InCorrect_V3 if {
Expand Down Expand Up @@ -390,5 +390,5 @@ test_DriveFs_Setting_InCorrect_V3 if {
not RuleOutput[0].RequirementMet
not RuleOutput[0].NoSuchEvent
RuleOutput[0].ReportDetails == concat("", ["The following OUs are non-compliant:",
"<ul><li>Test Top-Level OU: Drive for Desktop is enabled, but can be used on any device.</li></ul>"])
"<ul><li>Test Top-Level OU: Drive for Desktop is enabled and can be used on any device.</li></ul>"])
}
Expand Up @@ -98,10 +98,10 @@ Agencies SHALL disable making files and published web content visible to anyone
- [T1537: Transfer Data to Cloud Account](https://attack.mitre.org/techniques/T1537/)

#### GWS.DRIVEDOCS.1.6v0.2
Agencies SHALL enable access checking for file sharing outside of Docs or Drive.
Agencies SHALL set access checking to recipients only.

- _Rationale:_ The Access Checker feature can be configured to allows users to grant access to the public if a recipient is missing access, creating the potential for data leakage. This control mitigates this by only allowing access to be granted to recipients or the suggested target audience.
- _Last modified:_ July 10, 2023
- _Rationale:_ The Access Checker feature can be configured to allow users to grant open access if a recipient is missing access, creating the potential for data leakage. This control mitigates this by only allowing access to be granted to recipients.
- _Last modified:_ June 7, 2024

- MITRE ATT&CK TTP Mapping
- [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
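Review bot: the requirement tightens from "SHALL enable access checking" to "SHALL set access checking to recipients only", which turns a previously compliant configuration ("Recipients only, or suggested target audience") into a finding, yet the policy ID stays at GWS.DRIVEDOCS.1.6v0.2. A note in the changelog or a version bump would help agencies that implemented the earlier wording understand why their setting now fails, and the rationale could say explicitly that the "suggested target audience" option is the one being excluded.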
Expand Down Expand Up @@ -169,7 +169,7 @@ To configure the settings for Sharing options:

#### GWS.DRIVEDOCS.1.6v0.2 Instructions
1. Select **Sharing settings** -\> **Sharing options**.
2. Select **Access Checker** -\> **Recipients only, or suggested target audience.**
2. Select **Access Checker** -\> **Recipients only.**

#### GWS.DRIVEDOCS.1.7v0.2 Instructions
1. Select **Sharing settings** -\> **Sharing options**.
Expand Down Expand Up @@ -260,17 +260,17 @@ This section covers whether a security update issued by Google will be applied t
### Policies

#### GWS.DRIVEDOCS.3.1v0.2
Agencies SHALL enable security updates for Drive files.
Agencies SHALL enable the security update for Drive files.

- _Rationale:_ Google may add new security features over time. Allowing security updates helps ensure that your files are protected with the latest features Google makes available.
- _Rationale:_ By not enabling the update to the resource key security update a user could potentially gain unauthorized access to files. Enabling this security update decreases risk of unauthorized access and data spillage by controlling access to files in Google Drive.
- _Last modified:_ July 10, 2023

- MITRE ATT&CK TTP Mapping
- [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)

### Resources

- [Google Workspace Admin Help: Security update for Google Drive](https://support.google.com/drive/answer/10729743?hl=en#zippy=%2Care-any-file-types-not-impacted%2Cwhat-happens-if-i-dont-apply-the-security-update-to-my-files%2Chow-will-this-security-update-change-access-to-my-impacted-files)
- [Google Workspace Admin Help: Security update for Google Drive](https://apps.google.com/supportwidget/articlehome?article_url=https%3A%2F%2Fsupport.google.com%2Fa%2Fanswer%2F10685032%3Fvisit_id%3D638533824698144528-3160863719&assistant_event=welcome&assistant_id=mega-bot-shared-drive&product_context=10685032&product_name=UnuFlow&trigger_context=a)

### Prerequisites

Expand Down Expand Up @@ -367,10 +367,10 @@ This section addresses Drive for Desktop, a feature that enables users to intera
### Policies

#### GWS.DRIVEDOCS.6.1v0.2
Agencies SHOULD either disable Google Drive for Desktop or only allow Google Drive for Desktop on authorized devices.
Google Drive for Desktop SHOULD be enabled only for authorized devices.

- _Rationale:_ Some users may attempt to use Drive for Desktop to connect unapproved devices (e.g., a personal computer), to the agency's Google Drive. Even if done without malicious intent, this represents a security risk as the agency has no ability audit or protect such computers.
- _Last modified:_ July 10, 2023
- _Last modified:_ June 7, 2024

- MITRE ATT&CK TTP Mapping
- [T1530: Data from Cloud Storage](https://attack.mitre.org/techniques/T1530/)
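Review bot: the unchanged rationale has a grammar slip, "the agency has no ability audit or protect such computers", which should read "no ability to audit or protect"; since the hunk already touches this policy block, it is a good moment to fix it. The new statement "Google Drive for Desktop SHOULD be enabled only for authorized devices" also drops the previous option of disabling Drive for Desktop altogether; if an agency that disables it entirely is still meant to be compliant, the policy or its implementation notes should say so.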
7 changes: 3 additions & 4 deletions drift-rules/GWS Drift Monitoring Rules - Drive and Docs.csv
Expand Up @@ -4,16 +4,15 @@ GWS.DRIVEDOCS.1.2v0.2,"If disabling sharing outside of the organization's domain
GWS.DRIVEDOCS.1.3v0.2,"If sharing outside of the organization, then agencies SHALL enable warnings for users when they are about to share something outside of their domain.",Admin Log Event,Change Drive Setting,SHARING_OUTSIDE_DOMAIN,SHARING_ALLOWED_WITH_WARNING,rules/00gjdgxs0qwshr5,
GWS.DRIVEDOCS.1.4v0.2,"If sharing outside of the organization, then agencies SHALL disable sharing of files with individuals who are not using a Google account.",N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log evemt
GWS.DRIVEDOCS.1.5v0.2,Agencies SHALL disable making files and published web content visible to anyone with the link.,Admin Log Event,Change Drive Setting,PUBLISHING_TO_WEB,NOT_ALLOWED,rules/00gjdgxs2l9hukl,JK 08-02-23 @ 12:16
GWS.DRIVEDOCS.1.6v0.2,Agencies SHALL enable access checking for file sharing outside of Docs or Drive.,Admin Log Event,Change Drive Setting,SHARING_ACCESS_CHECKER_OPTIONS,DOMAIN_OR_NAMED_PARTIES,rules/00gjdgxs2qv9x6y,JK 08-02-23 @ 12:59
GWS.DRIVEDOCS.1.6v0.2,Agencies SHOULD set access checking to recipients only.,Admin Log Event,Change Drive Setting,SHARING_ACCESS_CHECKER_OPTIONS,DOMAIN_OR_NAMED_PARTIES,rules/00gjdgxs2qv9x6y,JK 08-02-23 @ 12:59
GWS.DRIVEDOCS.1.7v0.2,Agencies SHALL NOT allow any users to distribute content from an organization-owned shared drive to shared drives owned by another organizations.,Admin Log Event,Change Drive Setting,SHARING_TEAM_DRIVE_CROSS_DOMAIN_OPTIONS,CROSS_DOMAIN_FROM_INTERNAL_ONLY,rules/00gjdgxs2bll5l2,JK 09-26-23 @ 09:24
GWS.DRIVEDOCS.1.8v0.2,Agencies SHALL ensure that newly created items assume the default access level of Private to the Owner.,Admin Log Event,Change Drive Setting,DEFAULT_LINK_SHARING_FOR_NEW_DOCS,PRIVATE,rules/00gjdgxs1jfq3ds,JK 08-02-23 @ 13:28
GWS.DRIVEDOCS.2.1v0.2,Agencies SHOULD NOT allow members with manager access to override shared drive creation settings.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_admin_only,true,rules/00gjdgxs418trv6,JK 08-02-23 @ 13:44
GWS.DRIVEDOCS.2.2v0.2,Agencies SHOULD NOT allow users outside of their organization to access files in shared drives.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_cross_domain_access,true,rules/00gjdgxs1o31qud,JK 08-02-23 @ 14:12
GWS.DRIVEDOCS.2.3v0.2,Agencies SHALL allow users who are not shared drive members to be added to files.,Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_direct_access,true,rules/00gjdgxs3mcxcll,JK 08-02-23 @ 14:23
GWS.DRIVEDOCS.2.4v0.2,"Agencies SHALL NOT allow viewers and commenters to download, print, and copy files.",Admin Log Event,Change Application Setting,Shared Drive Creation new_team_drive_restricts_download,true,rules/00gjdgxs18yk89t,JK 08-02-23 @ 14:30
GWS.DRIVEDOCS.3.1v0.2,Agencies SHALL enable security updates for Drive files.,Admin Log Event,Change Application Setting,Link Security Update Settings less_secure_link_option,REMOVE_LESS_SECURE_LINKS,rules/00gjdgxs0mrpx7o,JK 08-02-23 @ 14:41
GWS.DRIVEDOCS.3.1v0.2,Agencies SHALL enable the security update for Drive files.,Admin Log Event,Change Application Setting,Link Security Update Settings less_secure_link_option,REMOVE_LESS_SECURE_LINKS,rules/00gjdgxs0mrpx7o,JK 08-02-23 @ 14:41
GWS.DRIVEDOCS.4.1v0.2,Agencies SHOULD disable Drive SDK access to restrict information sharing and prevent data leakage.,Admin Log Event,Change Drive Setting,ENABLE_DRIVE_APPS,true,rules/00gjdgxs1mm4n4i,JK 08-02-23 @ 14:49
GWS.DRIVEDOCS.5.1v0.2,Agencies SHALL disable Add-Ons with the exception of those that are approved within the organization.,Admin Log Event,Change Drive Setting,ENABLE_DOCS_ADD_ONS,false,rules/00gjdgxs4d794jn,JK 08-02-23 @ 15:14
GWS.DRIVEDOCS.6.1v0.2(a),Agencies SHOULD either disable Google Drive for Desktop or only allow Google Drive for Desktop on authorized devices.,Admin Log Event,Change Application Setting, DriveFsSettingsProto drive_fs_enabled,false,rules/00gjdgxs0yziufl,JK 10-19-23 @ 13:47
GWS.DRIVEDOCS.6.1v0.2(b),Agencies SHOULD either disable Google Drive for Desktop or only allow Google Drive for Desktop on authorized devices.,Admin Log Event,Change Application Setting,DriveFsSettingsProto company_owned_only_enabled,true,rules/00gjdgxs4ghyiin,JK 10-19-23 @ 14:01
GWS.DRIVEDOCS.6.1v0.2,Google Drive for Desktop SHOULD be enabled only for authorized devices..,Admin Log Event,Change Application Setting,DriveFsSettingsProto company_owned_only_enabled,true,rules/00gjdgxs4ghyiin,JK 10-19-23 @ 14:01
GWS.DRIVEDOCS.7.1v0.2,Agencies SHOULD configure DLP rules to block or warn on sharing files with sensitive data.,N/A,N/A,N/A,N/A,N/A,Not Alertable due to no log event
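Review bot: the GWS.DRIVEDOCS.1.6v0.2 row changes its text to "set access checking to recipients only" but keeps DOMAIN_OR_NAMED_PARTIES as the expected value for SHARING_ACCESS_CHECKER_OPTIONS, so the drift rule would still treat the now non-compliant setting as the target state; the value should become NAMED_PARTIES_ONLY to match the baseline and the updated Rego tests. The same row says "SHOULD" while the baseline text in this PR says "SHALL"; the two should agree. Smaller nits in this hunk: "authorized devices.." in the 6.1 row has a double period, and the unchanged 1.4 row carries "log evemt" for "log event".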